• Home

• Industries
  • Financial Services
  • Government
  • Healthcare
  • Higher Education
  • Legal
  • Public Companies
  • Public Utilities
  • Retail

• Solutions
  • IT Audit Services
  • IT Risk Assessment Services
  • IT Security Planning
  • PCI Compliance Services
  • Application Code Review
  • Vulnerability Scanning
  • Penetration Testing

• News & Events
  • Events
  • Webinars
  • In The News
  • Press Releases

• About Us
  • Overview
  • Management
  • Partners

• Careers

• Contact Us

Merchants

Any merchant that, stores, processes or transmits cardholder data must comply with the Payment Card Industry (PCI) Data Security Standard (DSS) published by the PCI Security Standards Council. While compliance is mandatory, the level of validation reporting depends on the size and complexity of the merchant business. The card brands have provided the following framework to identify merchant levels.

The information below determines if a merchant requires a Report on Compliance (ROC) or a Self-Assessment Questionnaire (SAQ).

Coalfire is a Qualified Security Assessor (QSA) company providing compliance services that range from Level-1 merchant onsite testing and independent ROC preparation to a cost-effective, streamlined SAQ for smaller merchants.

Service Providers

Any organization that processes, stores or transmits cardholder data is required to comply with the Payment Card Industry (PCI) Data Security Standard (DSS). In the case of third-party support, hosting, and other service providers, compliance with the PCI-DSS requires annual validation testing. Service providers determine their level and compliance requirements per the definitions below.

All Level-1 service providers must have an annual on-site review (ROC) conducted by a QSA. Coalfire is a Qualified Security Assessor (QSA) company authorized by the PCI Security Standards council. We've performed hundreds of service-provider assessments and have leveraged that experience to develop industry-leading audit practices that help guide service-provider compliance efforts.

For Level-1 service providers, Coalfire offers a wide range of on-site testing and validation reporting services; and for smaller service providers, we offer an online portal to quickly complete self assessment reports and manage evidence to prove compliance achievement. Our cost-effective Consolidated Audit Program (CAP) solution combines the PCI ROC and SAS70 audits because they both review similar controls. This program reduces time, cost, and the impact on staff and operations by completing these audits simultaneously.

Payment Application Developers

The recent wave of highly publicized data breaches in the retail industry has increasingly been tracked to a significant weakness in payment applications. Accordingly, the card brands have established a joint program that requires merchants to deploy only payment applications that have been validated to the PCI Council Payment Application-Data Security Standard (PA-DSS). While current merchant compliance to their own PCI Data Security Standard (PCI DSS) requirements may be difficult to achieve without validated payment applications, use of validated payment applications is not mandatory until July 2010.

However, many merchants are facing enterprise-level change management barriers to deploy payment applications across their operation. This extensive upgrade typically requires a year or more of planning and implementation. In many cases, local merchant application customization will require months of integration and testing in their own test facilities. As a result, developers and payment application vendors are rapidly updating application security and completing associated testing to complete the PA-DSS validation process.

Coalfire is a Payment Application-Qualified Security Assessor (PA-QSA) company and has leveraged years of application testing in the banking and electronic payments industries to provide a proven PA-DSS application testing and validation reporting platform. This easy-to-use, streamlined process enables most developers to quickly identify compliance gaps, manage application changes, and consolidate test evidence into a secure portal to both assure compliance and contain the cost of achieving compliance. This revolutionary approach to portal-based compliance management empowers developers to more easily achieve compliance in year one and to maintain compliance with new versions.